ITP, Mail Tracking Prevention, Privacy Sandbox: Current State of Technical Privacy Protections

ITP, Mail Tracking Prevention, Privacy Sandbox: Current State of Technical Privacy Protections

Lucas LongPrivacy and ComplianceLeave a Comment


The evolving privacy environment is ushering in changes for marketers due to three primary shifts: changing consumer sentiment, new privacy legislation, and technical changes restricting data access. While much has been said about the looming crumbling of cookies, technical changes are far more wide reaching and impactful than just third-party cookies going away. Let’s explore the main technical developments and what they mean for your daily activities:

Intelligent Tracking Prevention (Safari)

Summary

Safari’s Intelligent Tracking Prevention (ITP) was the first major browser effort to deprecate support for third-party cookies and limit the access to persistent identifiers across the web. ITP is still the most restrictive browser privacy mechanism across the three primary browsers by user adoption (Chrome, Safari, Firefox) and limits the ability for both third-party and first-party cookies to be stored and accessed from a user’s device.

Impact on Third-Party Cookies

All access is restricted except via the Storage Access API. For purposes of marketing and advertising technology, third-party cookies are effectively no longer available.

Impact on First-Party Cookies

For first-party cookies set via JavaScript (with document.cookie), expiration will be set to 7 days. If first-party cookies are set in this manner and the page has query string parameters appended and the referring domain is a known tracker, the expiration will be set to 24 hours. For purposes of marketing and advertising technology setting first-party cookies via JavaScript, it is likely the first-party cookies set will have an expiration of just 24 hours. 

What Marketers Need to Know

Many organizations are preparing for the “cookieless future”; if your user base is primarily accessing your digital properties via the Safari browser, this future has been your reality since 2021. Effectively for these users, access to a persistent pseudonymous identifier is non-existent in a cross-domain context and significantly limited even on your own websites. This lack of identifier access means targeting strategies like remarketing are not possible for Safari users and deterministic attribution beyond last-click is unreliable if relying on cookie-based identifiers. 

Intelligent Tracking Prevention (iOS14)

Summary

With Apple’s release of iOS14 for iOS and iPadOS in late 2020, all browsers running on this operating system must have WebKit’s ITP mechanisms on by default. This means that the ITP protections as outlined above for Safari will apply for any browser running on iOS or iPadOS running iOS14 or later. 

Impact on Third-Party Cookies

All access is restricted except via the Storage Access API. For purposes of marketing and advertising technology, third-party cookies are effectively no longer available.

Impact on First-Party Cookies

For first-party cookies set via JavaScript (with document.cookie), expiration will be set to 7 days. If first-party cookies are set in this manner and the page has query string parameters appended and the referring domain is a known tracker, the expiration will be set to 24 hours. For purposes of marketing and advertising technology setting first-party cookies via JavaScript, it is likely the first-party cookies set will have an expiration of just 24 hours. 

What Marketers Need to Know

Often lost in the ITP and Safari discussion is the fact that with the iOS14 updates those restrictions are also applicable for Chrome, Firefox, or any other browser being used on an Apple mobile device. If your user base is heavily using iPhones to access your digital properties (as is the case for many premium brands) you are living in the cookieless future. Again, any cookie-based targeting or measurement strategies will be significantly limited in the absence of technical architecture updates meant to specifically address these challenges. 

Enhanced Tracking Prevention (Firefox)

Summary

Following Apple’s release of Intelligent Tracking Prevention for Safari, Firefox introduced their own technical restrictions on the storage and access of cookies in users’ browsers. Similar to ITP, this mechanism effectively deprecates support for cross-domain third-party cookies and places significant duration restrictions on first-party cookies used for purposes of marketing and advertising.

Impact on Third-Party Cookies

Access to third-party cookies is restricted for “known trackers”. Known trackers are any request from a domain on the disconnect.me list of known tracking domains. For purposes of marketing and advertising technology, third-party cookies are effectively no longer available.

Impact on First-Party Cookies

Storage of first-party cookies associated with known trackers is purged every day unless the user has interacted with the site within the last 45 days. Effectively for first-party cookies, this enforces a max 45-day expiry for first-party cookies associated with advertising platforms.

What Marketers Need to Know

For whatever proportion of users accessing your digital properties with a Firefox browser, cookie-based audience creation and targeting techniques will be unavailable. Further, this proportion of the user base will have significant restrictions for multi-touch attribution and measurement beyond recent bottom-of-funnel activities. It is important to understand what proportion of users are leveraging this technology and take that into account when considering strategies to employ moving forward.

Cookie Restrictions in Google Chrome

Summary

Google has made the stated intention of phasing out support for third-party cookies by the end of 2023 as a part of the Privacy Sandbox initiative. At the current time, deprecation has not yet happened.

Impact on Third-Party Cookies

No restrictions on the access of third-party cookies. Google has made the stated intention to deprecate support for third-party cookies by the end of 2023. Chrome plans to introduce purpose-specific browser APIs to support use cases currently supported by third-party cookies in a privacy-safe manner prior to the deprecation of third-party cookie support (Privacy Sandbox).

Impact on First-Party Cookies

No restrictions on the access of first-party cookies.

What This Means for Marketers

It is still “business as usual” with respect to cookies for Google Chrome users. As the most popular browser in use on the market today, this means traditional techniques for audience creation and measurement are largely not impacted for a majority of users. It is important to understand that this is changing in the near future with similar restrictions as those already introduced for Safari and Firefox users set to be implemented. Begin to assess current strategies and technologies to transition to non-cookie based approaches to targeting and measurement.

Ad Blockers

Summary

Ad blockers work by blocking network requests being sent from known tracking domains. This has the effect of blocking any data being sent to these domains, as well as blocking any cookies from being placed or read on the user’s browser. When an ad blocker is in use, effectively no tracking nor audience building can be accomplished by platforms running their scripts via client-side javascript.

Also relevant to the ad blocker discussion are opt-out provisions in new U.S. privacy laws allowing for a universal opt-out signal (ex. Global Privacy Control) to be a valid indicator of opt-out. It is likely that ad blockers will adopt support for these signals and therefore allow users to automatically opt-out of restricted processing activities regardless of the method via which the data is collected. 

What This Means for Marketers

Ad blocker adoption by users is consistently growing with some studies citing as much as 25% of users currently using an ad blocker of some sort when navigating the internet. Be aware of this proportion of users using these technologies and include that in measurement models assessing the effectiveness of current advertising strategies.

Apple Mail Privacy Protection (iOS15 Update)

Summary

Apple’s Mail Privacy Protection applies to emails accessed via Apple’s Mail application on iOS. When enabled, the user’s IP address is hidden so senders can’t link it to other online activity or determine the device’s location. It also prevents senders from seeing if the email has been opened by blocking trackers embedded in the email. 

What This Means for Marketers

Email marketing is a cornerstone of personalized outreach for many organizations. Part of personalization strategies are often geo-location-based messaging and the measurement of campaign effectiveness by looking at open rates, clicks, and associated conversions. With Mail Privacy Protection, for any users accessing email messages via Apple’s Mail application (most common for email clients for iPhone users), metrics like open rate will not be measurable and geo-location personalization will be unreliable. Email marketers need to evaluate new campaign metrics for reporting and alternative means of personalization. 

Apple iCloud Private Relay (iOS15 Update)

Summary

Private relay is designed to protect the user’s privacy by ensuring that when browsing the internet in Safari, no single party can see both who the user is and the sites they are visiting. When enabled, network requests are sent through two separate, secure internet relays. When the requests are sent to the first relay, the IP address is visible but the DNS records are encrypted so the Network Provider nor Apple can not see the address of the website being visited. The request is then sent to a second relay which generates a temporary IP address and decrypts the name of the website being requested to connect the user with the site. 

iCloud Private Relay is a feature available to iCloud users which must be enabled as part of an iCloud+ subscription. It is not currently available in all countries or regions and is currently in beta in iOS15, iPadOS 15, and macOS Monterey.

What This Means for Marketers

For user’s with Private Relay enabled, any kind of geolocation targeting, personalization, or measurement will be unavailable. Many ad tech platforms rely on the user’s IP address for these features to power campaign targeting and measurement. It is important for marketers to evaluate technologies currently in use and reliance on this piece of information. While the adoption rates across your user population of Privacy Relay is likely to be small, the inclusion of this feature points to a trend of IP address masking for users. Any strategies reliant on the ability to access a user’s IP address are likely to be at risk moving forward. 

Apple Hide My Email (iOS15 Update)

Summary

Apple’s Hide My Email feature allows users to generate unique random email addresses on demand for use when filling out forms, signing up for newsletters on the web, or sending emails with the Mail app. When Hide My Email addresses are created by the user, they are available in iCloud settings and will forward to the user’s primary personal email address. These “fake” email addresses are then available for use by the user when submitting an email.

Hide My Email is available to iCloud+ subscribers using iOS15 or later (iOS15.2 or later for use when sending emails via the Mail app).

What This Means for Marketers

Many of the “cookieless world” solutions being introduced in the market center around a user-provided persistent identifier which can be used to identify a user over time on an organization’s owned properties, as well as on other locations across the web and devices. The primary persistent identifier used is a user’s email address. The Hide My Email feature allows a user to use any number of different “fake” email addresses as they register for services across the web. As adoption of this type of technology grows, the reliability of email as a persistent identifier drops significantly. With this in mind, it is important to begin exploring audience creation and measurement techniques which are not reliant on any kind of user identifier but instead focus on anonymous interaction data able to be gathered across consumer touch points. 

Conclusion

As can be seen, technical privacy protections being introduced for users are having a significant impact on marketing and advertising activities. Hope is not lost! While change is coming for the industry, there are privacy-centric strategies that can be pursued to mitigate risks and develop a competitive advantage for your organization. Reach out to us today to take the first steps in your journey to privacy-centric marketing!  

Confused about privacy-centric marketing?

We're here to help your organization develop a strategy.

Facebook Comments